There is an ongoing debate on the need for new regulations that protect individuals’ personal data. Regulation is said to be required to protect the personal data of citizens, consumers, patients, etc., both against corporate service providers as well as against governments.
There is a growing concern about the implications of the data collection habits of social network operators, such as Facebook, as well as other service providers. Even those individuals who claim to not see any tangible risk behind the massive collection of data on themselves by service providers, still feel unease with the amount of data available on them, and on which they have no control.
On the state side, knowing that your government may monitor every single email and phone call reminds of George Orwell’s book “nineteen eighty-four". It is largely agreed that this practice, if not outright eliminated, shall at least be better controlled.
This essay discusses the two possible domains for such better control: technology and regulation, arguing that the former is tremendously more effective than the latter.
It is believed in some circles that a change of regulation may be sufficient for protecting individuals against wholesale surveillance or against excessive data collection by service providers. If only the right laws were in place, privacy could be preserved.
Undoubtedly, the concept of imposing restrictions by merely stating them out clearly in a legal document is comforting. Stating such laws and regulations is far from easy. Writing laws properly is difficult, let alone handling the associated lobbies and political influences. However, it still forms an easier way to impose restrictions when compared to somehow imposing them technically. Specifying a regulation is like stating an agreeable requirement, whereas deploying technology that enforces such a regulation can be seen as implementing this requirement in practice.
Moreover, technical restrictions also have their drawbacks. In some situations they cannot be imposed and the technology landscape changes often. Also, some domains of problems still lack an efficient technical solution; one example being the combination of anonymity with accountability, as required for secure Internet voting.
Yet still, although setting regulations may be easier than developing restricting technologies, I stress that addressing privacy concerns by regulation alone shall be treated as the last resort, reserved only for those situations where technical countermeasures cannot be applied. The reason is that technology is tremendously more reliable than law.
Governments worldwide have a track record of bypassing their own regulations, or at least their spirit, often by exploiting legal loopholes. The Center of Democracy and Technology explains here how the legal system in the US makes it easier to tap into e-mails than into phone calls, although the privacy impact is essentially the same, just because e-mails are not only transmitted but are also stored. Also, The Guardian reports here about mass delivery of call metadata from Verizon to the NSA, without a warrant of course. How? – Call “metadata” (who called whom, when, for how long, and where the participants physically were), is not legally considered as “communication", and thus does not require a warrant to obtain it. Knowing where you are and who you call when, is indeed private data in most eyes, but does not enjoy the same protection as the contents of your conversation.
This line of behavior is not reserved to governments alone. Whenever a law or regulation stands between a company and a desired outcome, efforts will be put to the task of either changing the law, or of finding loopholes around it. Lastly, if the cause is worthy enough, a company may just ignore the law and consider litigation as part of the managed risk of doing business.
It is important to understand that as opposed to technical restrictions that, if made effective, cannot be broken unless with immense efforts, breaking the limits posed by legal hurdles is treated by the private sector as merely a risk management quiz. Consequently, the practical effectivity of laws and regulations cannot be taken outside the context of the benefits that breaking that law entails. This makes the effectivity of laws and regulations impossible to foresee.
When data collection is controlled by regulation alone, the benefits of disobeying the regulation shall be considered as part of the indication of the regulation’s effectivity. Unfortunately, this value is seldom known in advance. Governments and service providers are likely to break the law to certain extents, when the benefit is worth the risk; a benefit that it is hard to foreknow.
On the other hand, when technical restrictions are imposed on the collection of private data, only the adversary capabilities and technical advances need to be considered when assessing the effectivity of the countermeasure. Many missing values exist, and the model requires some guesswork, but this uncertainty is tactical rather than conceptual.
As a side note, it might be useful to think of corporate procedures as an analogy to this problem. Almost all information security personnel will agree that corporate procedures shall only be used to enforce a policy in situations where technology cannot help. To illustrate, a procedure may be put in place to forbid the sharing of passwords, because prevention of shared passwords cannot be accomplished by computerized means. However, password lifetime, a restriction that can easily be imposed technically, is always enforced by technology rather than by a procedure requesting the user to change his password at his own will once in a while. This preference is clear because we consider technical restrictions to be more robust than procedural ones, for reasons that do not differ greatly from those discussed above.
To summarize, if we really want to restrict the amount of personal data collected on us, we shall spend more efforts on the development of technologies that prevent data from being abused, and less on additional legal measures.